[fw-wiz] InfoSec's Waterloo and its implications - Firewalls

[fw-wiz] InfoSec's Waterloo and its implications

CSO magazine hit InfoSec professionals hard a couple of months ago when it
described the revelations and exposures of IT security failures in the first
half of 2005 (largely courtesy of California state law S1386) as the
"Waterloo" -- the utter and historically devastating failure -- for
traditional InfoSec praxis, policy, and industrial politics.

It's a label that may stick, with potentially big implications for, among
others, CIOs, CISOs, and wee supporting techies who manage institutional
security barriers like firewalls.

One response to this ongoing series of InfoSec debacles was the
little-noticed March 23 joint "Guidance" announcement -- from the five US
federal regulatory agencies for banks -- that all US banks are now required
to notify their customers in the event of a theft or unauthorized access to
data files containing personal information which could possibly be misused
against the customer. (See: )

CSO, in an erudite article entitled, "The Five Most Shocking Things About
the ChoicePoint Debacle," now offers a timely and informative follow-up on
the ChoicePoint imbroglio. (See: .) An
interesting subtext here is that privacy -- an explosively potent issue
that both parties have effectively ducked -- has reemerged with the subtlety
of Mt. Vesuvius.

Another less-surprising subtext is that today's corporate InfoSec
infrastructure -- both the "best practice" technology and policies, and the
corporate roles that manage it -- will have to change drastically to
successfully handle the new burdens of regulatory compliance.

With national ID cards (standardized driver licenses) now a done deal, a
federal "notification" bill seems inevitable, and a major new federal
privacy bill possible. The Clintonesque Center for American Progress just
published a notable essay, "Protecting Privacy in the Digital Age," which
argues that the Privacy Act of 1974 no longer really means anything, since
government now simply out-sources those actions which it isn't allowed to
take. (See: .)